sajusal/sros-ip-over-gre

IP over GRE in SROS

IP over GRE tunnel in SROS using PXC

Topology

image

Requirements

  • An unused port to be configured as PXC
  • Public and private services: the public side should be on an IES service. The private side can be either on the same IES or on a VPRN service.
  • The interface under the public service and the GRE tunnel local IP should be on the same subnet, and this subnet should be advertised to the Internet so that the remote destination can reach the router.
  • The physical port used for PXC should be configured for hybrid mode and dot1x tunneling (this is only for internal purposes and does not impact ingress/egress traffic).
  • Two /30 or /31 subnets:
      • /30 to be used on the network interface towards the Internet peer
      • /30 to be used on the public IES interface and GRE tunnel local IP

How does it work?

Traffic flows through PXC-based tunnels in the following ways:

  • In the upstream direction (public to private), the encapsulated traffic is forwarded to a public tunnel interface if the destination address matches the local or gateway address of a GRE tunnel. As the traffic passes through the PXC port, the tunnel header is removed, the payload IP packet is delivered to the private service, and from there, the traffic is forwarded again based on the destination address of the payload IP packet.

  • In the downstream direction (private to public), unencapsulated traffic belonging to the private service is forwarded into the tunnel by matching a route with the GRE tunnel as next-hop. The route can be configured statically, learned by running OSPF on the private tunnel interface or by running BGP over the tunnel. After clear traffic is forwarded to the PXC port, it is encapsulated in the GRE header and passed to the public service, and from there, the traffic is forwarded again based on the destination address of the GRE header.
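The two directions described above, modelled as an added Python example (not code from this repository and not SR OS's implementation). It uses the tunnel endpoints and the BGP peer and loopback addresses configured on this page; the function names, the constructed sample packet, and the strict check of the outer source address are assumptions of this sketch.

```python
import ipaddress
import struct

GRE_PROTO = 47            # IPv4 protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload
# Tunnel endpoints from ip-tunnel "gre-tunnel-1" on this page.
TUNNEL_LOCAL, TUNNEL_REMOTE = "10.20.16.174", "192.168.0.1"

def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header; checksum left at 0 (illustration only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def gre_encap(inner, src, dst, key=None):
    """Private-to-public: prepend a GRE header and an outer IPv4 header."""
    gre = struct.pack("!HH", 0x2000 if key is not None else 0, ETHERTYPE_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)
    return ipv4_header(src, dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def gre_decap(packet, local=TUNNEL_LOCAL, remote=TUNNEL_REMOTE):
    """Public-to-private: check the outer headers, return (key, inner packet)."""
    # Assumption of this model: the outer source must equal the configured remote.
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("truncated packet")
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    src, dst = (str(ipaddress.IPv4Address(packet[i:i + 4])) for i in (12, 16))
    if (src, dst) != (remote, local):
        raise ValueError(f"outer {src} -> {dst} does not match the tunnel")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE version or payload type")
    offset = ihl + 4 + (4 if flags & 0x8000 else 0)  # C bit: checksum + reserved
    key = None
    if flags & 0x2000:                               # K bit: 32-bit key (RFC 2890)
        if len(packet) < offset + 4:
            raise ValueError("truncated GRE key")
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & 0x1000:                               # S bit: sequence number
        offset += 4
    return key, packet[offset:]

# Constructed sample: BGP peer 172.16.1.1 to loopback 172.32.1.1, empty payload.
INNER = ipv4_header("172.16.1.1", "172.32.1.1", 6, 0)
UPSTREAM = gre_encap(INNER, TUNNEL_REMOTE, TUNNEL_LOCAL)
```

`gre_decap(UPSTREAM)` returns `(None, INNER)`: the 4-byte GRE header carries no key, matching "GRE Keys Set: False" in the tunnel status later on this page. GRE itself adds no authentication or encryption, so the inner packet is carried in clear.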

Reference doc

Configuration on 7750 SR-1

Network interface and BGP with Internet Peer

(pr)[/configure router "Base"]
A:admin@sr101# info interface "To-Peering"
    port 1/1/c1/1
    ipv4 {
        primary {
            address 10.20.16.170
            prefix-length 30
        }
    }

(pr)[/configure router "Base"]
A:admin@sr101# info bgp
    admin-state enable
    import {
        policy ["direct-import"]
    }
    export {
        policy ["direct"]
    }
    group "gre-group1" {
        type external
        peer-as 64510
        local-as {
            as-number 64500
        }
    }
    neighbor "10.20.16.169" {
        group "gre-group1"
    }

GRE Tunnel destination IP is learned and installed in the route table

A:admin@sr101# show router route-table 192.168.0.0/29

===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
192.168.0.0/29                                Remote  BGP       00h02m47s  170
       10.20.16.169                                               0
-------------------------------------------------------------------------------

PXC

(pr)[/configure]
A:admin@sr101# info port 1/1/c5/1
    admin-state enable
    ethernet {
        mode hybrid
        dot1x {
            tunneling true
        }
    }

A:admin@sr101# info port-xc
    pxc 1 {
        admin-state enable
        port-id 1/1/c5/1
    }

(pr)[/configure]
A:admin@sr101# info port pxc-1.a
    admin-state enable

(pr)[/configure]
A:admin@sr101# info port pxc-1.b
    admin-state enable

Check PXC port status:

A:admin@sr101# show port pxc

===============================================================================
Ports on Port Cross Connect 1
===============================================================================
Port          Admin Link Port    Cfg  Oper LAG/ Port Port Port   C/QS/S/XFP/
Id            State      State   MTU  MTU  Bndl Mode Encp Type   MDIMDX
-------------------------------------------------------------------------------
pxc-1.a       Up    Yes  Up      9208 9208    - hybr dotq cgige
pxc-1.b       Up    Yes  Up      9208 9208    - hybr dotq cgige
===============================================================================

Public IES service

(pr)[/configure]
A:admin@sr101# info service ies "GRE-Svc-1"
    admin-state enable
    service-id 110
    customer "1"
    interface "Public-Cust-svc-1" {
        sap pxc-1.b:0 {
        }
        ipv4 {
            primary {
                address 10.20.16.173
                prefix-length 30
            }
        }
    }

Service status:

A:admin@sr101# show service id "GRE-Svc-1" base

===============================================================================
Service Basic Information
===============================================================================
Service Id        : 110                 Vpn Id            : 0
Service Type      : IES
Name              : GRE-Svc-1
Admin State       : Up                  Oper State        : Up
SAP Count         : 1                   SDP Bind Count    : 0

-------------------------------------------------------------------------------
Service Access & Destination Points
-------------------------------------------------------------------------------
Identifier                               Type         AdmMTU  OprMTU  Adm  Opr
-------------------------------------------------------------------------------
sap:pxc-1.b:0                            q-tag        9208    9208    Up   Up
===============================================================================

A:admin@sr101# show router bgp neighbor "10.20.16.169" advertised-routes
===============================================================================
 BGP Router ID:10.10.10.101     AS:64500       Local AS:64500
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
i     10.20.16.172/30                                  n/a         None
      10.20.16.170                                     None        n/a
      64500                                                          -
-------------------------------------------------------------------------------

After creating the Public IES service and advertising the subnet to the Internet Peer, we should now be able to ping the GRE Tunnel Destination IP with our GRE Tunnel Local IP as the source.

A:admin@sr101# ping 192.168.0.1 source-address 10.20.16.174
PING 192.168.0.1 56 data bytes
64 bytes from 192.168.0.1: icmp_seq=1 ttl=63 time=3.96ms.
64 bytes from 192.168.0.1: icmp_seq=2 ttl=63 time=4.82ms.

Private VPRN

(pr)[/configure]
A:admin@sr101# info service vprn "210"
    admin-state enable
    customer "1"
    autonomous-system 64500
    router-id 10.10.10.101
    interface "Internal" {
        admin-state enable
        tunnel true
        ipv4 {
            addresses {
                address 10.0.0.1 {
                    prefix-length 30
                }
            }
        }
        sap pxc-1.a:0 {
            ip-tunnel "gre-tunnel-1" {
                admin-state enable
                delivery-service "GRE-Svc-1"
                remote-ip-address 192.168.0.1
                local-ip-address 10.20.16.174
                gre-header {
                    admin-state enable
                }
            }
        }
    }

Verify VPRN service:

A:admin@sr101# show service id 210 base

===============================================================================
Service Basic Information
===============================================================================
Service Id        : 210                 Vpn Id            : 0
Service Type      : VPRN
MACSec enabled    : no
Name              : 210
Admin State       : Up                  Oper State        : Up
-------------------------------------------------------------------------------
Service Access & Destination Points
-------------------------------------------------------------------------------
Identifier                               Type         AdmMTU  OprMTU  Adm  Opr
-------------------------------------------------------------------------------
sap:pxc-1.a:0                            q-tag        9208    9208    Up   Up
===============================================================================

A:admin@sr101# show router 210 interface

===============================================================================
Interface Table (Service: 210)
===============================================================================
Interface-Name                   Adm       Opr(v4/v6)  Mode    Port/SapId
   IP-Address                                                  PfxState
-------------------------------------------------------------------------------
Internal                         Up        Up/Down     VPRN I* pxc-1.a:0
   10.0.0.1/30                                                 n/a
-------------------------------------------------------------------------------
Interfaces : 1
===============================================================================


GRE Tunnel Status

A:admin@sr101# show ip tunnel
====================================================================
IP Tunnels
====================================================================
TunnelName                       SapId             SvcId      Admn
 Local Address                                     DlvrySvcId Oper
  OperRemoteAddress
--------------------------------------------------------------------
gre-tunnel-1                     pxc-1.a:0         210        Up
 10.20.16.174                                    Cogent-Ope Up
  192.168.0.1
--------------------------------------------------------------------

A:admin@sr101# show ip tunnel "gre-tunnel-1"

=========================================================================
IP Tunnel Configuration Detail
=========================================================================
Service Id       : 210                  Sap Id           : pxc-1.a:0
Tunnel Name      : gre-tunnel-1
Description      : None
GRE Header       : Yes
Delivery Service : GRE-Svc-1
GRE Keys Set     : False
GRE Send Key     : N/A                  GRE Receive Key  : N/A
Admin State      : Up                   Oper State       : Up
Source Address   : 10.20.16.174
Remote Address   : 192.168.0.1
Backup Address   : (Not Specified)
Oper Remote Addr : 192.168.0.1
Oper Flags       : None
Transport Profile: (Not Specified)
Last Oper Changed: 10/27/2023 16:07:51
TCP MSS Adjust
    Public       : Disabled
    Private      : Disabled
=========================================================================

BGP over GRE Tunnel

In this example, we configure a loopback inside the private VPRN and use it as the local IP for BGP. A static route with the GRE tunnel as next hop is configured for the remote BGP neighbor IP.

(pr)[/configure]
A:admin@sr101# info service vprn "210"
    interface "loop1" {
        loopback true
        ipv4 {
            primary {
                address 172.32.1.1
                prefix-length 32
            }
        }
    }
    static-routes {
        route 172.16.1.1/32 route-type unicast {
            next-hop "10.0.0.2" {
                admin-state enable
            }
        }
    }
    bgp {
        admin-state enable
        router-id 10.10.10.101
        export {
            policy ["export-direct"]
        }
        group "gre-1" {
            type internal
            peer-as 64500
            local-address 172.32.1.1
            local-as { as-number 64500 }
        }
        neighbor "172.16.1.1" {
            group "gre-1"
        }
    }

Verify BGP:

A:admin@sr101# show router "210" bgp neighbor "172.16.1.1"

===============================================================================
BGP Neighbor
===============================================================================
Peer                 : 172.16.1.1
Group                : gre-1
-------------------------------------------------------------------------------
Peer AS              : 64500            Peer Port            : 179
Peer Address         : 172.16.1.1
Local AS             : 64500            Local Port           : 49832
Local Address        : 172.32.1.1
Peer Type            : Internal         Dynamic Peer         : No
State                : Established      Last State           : Active

A:admin@sr101# show router "210" bgp neighbor "172.16.1.1" advertised-routes
===============================================================================
 BGP Router ID:10.10.10.101     AS:64500       Local AS:64500
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
i     10.0.0.0/30                                        100         None
      172.32.1.1                                         None        n/a
      No As-Path                                                     -
i     172.32.1.1/32                                      100         None
      172.32.1.1                                         None        n/a
      No As-Path                                                     -
-------------------------------------------------------------------------------
Routes : 2
===============================================================================

Wireshark capture showing GRE header

image
